Sunday, August 26, 2012

Windows 8 Password Security

[Retro-style static boot splash graphic in Windows 8.]
I installed Windows 8 Consumer Preview (and some earlier versions as well) into a VM so that I could have a look for changes in password security. After quite a few screenshots etc. from CP, I decided to wait for RTM, so that I wouldn't have to do an entirely new one if there were major differences. I'm happy I did that. Let's take a look at what we get with Windows 8 in terms of password security.

Monday, August 06, 2012

Preliminary speaking schedule

Just a few links to conferences/events where I will be presenting during the next couple of months:

--
I will be speaking together with my friend Erlend Dyrnes about "social & mobile (in)security" in Haugesund (Norway) on Thursday, 8 August. Co-located with a subsea conference, this security conference is primarily targeted at companies within the Norwegian/international offshore/subsea operations market. Program and more info here: http://www.uop-sikkerhet.no/?page_id=159
--
I will be speaking at a breakfast seminar held by my employer EVRY in Grenland (Porsgrunn, Norway) on Thursday, 23 August. I will be focusing on mobile security issues here as well, with some legal concerns applicable specifically to Norway to top it off.
--
On September 3-5 it is once again time for the annual ISF autumn conference (Program info in Norwegian), where I will give my full story on what happened before and after the story appeared *everywhere*
--
...And I just might also appear at my employer's annual EVRY INSIGHT conference in Tønsberg, September 19-20.
--
On September 26-27 the beautiful Hotel Alexandra in Loen will be the arena for the annual IT-forum conference. I will do a keynote there, with the conference using "BYOD - chaos or success?" as this year's headline.
--
More to come - and then there's Passwords^12 in December!

----------------

And that was the not-so-important news today. Go Curiosity!

Friday, August 03, 2012

Vacation Observations

[Panorama view from mountain top near Puerto De Pollensa, Mallorca]

Ahh... Vacation... Those days of the year where infosec professionals get some time to glimpse into another parallel world, by some... wives... referred to as "the real world". Anyway; I like to take a look around, even when I go on vacation. Here are a few security observations made this summer.

Saturday, June 30, 2012

The Final Word on the LinkedIn Leak


As you are undoubtedly aware by now, two weeks ago the professional networking site LinkedIn became the victim of a rather unfortunate mishap: they sprung a little leak, and 6.4 million password hashes trickled out onto the internet. And in those two short weeks, hundreds of security experts the world over, all of various backgrounds whose hats range from white to black, have been feverishly clawing their way through that list in an attempt to crack all 6.4 million passwords. However, few have made more progress in their pursuit than my associate d3ad0ne and I.

Thursday, June 28, 2012

LinkedIn Password Infographic

[ Oh yeah, you can click it for *full* size! Free to use, please show credits. ]

Jeremi Gosney (@jmgosney) has done a terrific job of cracking the LinkedIn hashes. In fact, he has cracked some 90% of them now. So I asked Jeremi if I could ask one of my UX colleagues to try to make an infographic, and he happily agreed. The result can be seen in all its glory in the supersize infographic above (print it if you like!)

Wednesday, May 30, 2012

Analyzing PIN codes

[ A load of PIN codes visualized ]
You can click the image above to see it full size. It is a heatmap generated by us (@KluZz and myself), and the data are 4-digit PINs extracted from a physical access control system. According to the system operators, more than 50% of the PINs are believed to be selected by the users themselves, while the remaining ones are randomly generated by the system when a new 'user' is created and a physical card is issued. The complete data set includes PINs for guest visitor cards etc.

Because of Norwegian privacy law, we didn't request, and didn't get, any ownership information for the PINs, so they cannot be traced back to individual users.

Now you may ask: why did we do this?

Monday, May 21, 2012

Live Memory Password Acquisition

[ Screenshot of Passware Kit Forensic ]
Congratulations to Passware on their newest release of Passware Kit Forensic, now at version 11.7. This new release brings "instant" decryption of Microsoft Office 2007-2010 password protected documents through memory analysis, as well as some other interesting new features. I am quoted in their press release, available here (PDF): http://www.lostpassword.com/pdf/pr-120521.pdf

Let's take a look at these new features from a threat/risk perspective:

Saturday, May 19, 2012

Note to self: Inception + Ubuntu 12.04LTS

If you want to get Inception up and running on (default config) Ubuntu 12.04LTS, you should expand the dependency installation like this (adding juju, doxygen and g++):

sudo apt-get install git cmake python3 doxygen g++ juju


Now go ahead with the rest of the installation. :-)

Thursday, May 10, 2012

Ban on skimming equipment

[Click the image for full size]
The title of this blog post plus the image above should be a good indication of what this post is about. If I add the amendment to § 186 of the Norwegian Penal Code (straffeloven), as announced in press release 151-2010 from the Ministry of Justice and Public Security (Justis- og Beredskapsdepartementet) on 10 December 2010, we get even closer.

Monday, May 07, 2012

Challenge received

[Picture from lego.com - I'm a Star Wars fan!]

"Accept the challenge I do, your Highness". (Yoda, Star Wars)

Kirsi Helkala gave presentations at both Passwords^10 and Passwords^11. Her work on passwords is fascinating; she now works as an associate professor at Gjøvik University College in Norway. See her list of publications to understand what I'm talking about. She has given me a challenge - nine in fact - all being unsalted MD5s. I need help! :-)
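Both the nine unsalted MD5s above and the LinkedIn leak further up (6.4 million unsalted SHA-1 hashes) share the property that makes them cheap to attack at scale, and an added example of my own (not code from this blog or from Jeremi's work) shows why: without a salt, each candidate password is hashed once and checked against every target with a set lookup, so the work hardly grows with the number of hashes, whereas with per-hash salts each target needs its own pass through the candidates. The wordlist, rule set and target hashes below are constructed for the example.

```python
"""Added example (not the blog's code): multi-target cracking of unsalted
hashes versus salted ones. Wordlist, rules and targets are constructed."""
import hashlib


def candidates(wordlist, rules):
    """Yield every (word, rule) combination, wordlist-first like a real cracker."""
    for word in wordlist:
        for rule in rules:
            yield rule(word)


def basic_rules(suffixes=("", "1", "123", "2012")):
    """A tiny rule set: three case variants times four suffixes (12 rules)."""
    variants = [lambda w: w, lambda w: w.capitalize(), lambda w: w.upper()]
    return [lambda w, v=v, s=s: v(w) + s for v in variants for s in suffixes]


def crack_unsalted(targets, wordlist, rules, algo="md5"):
    """Unsalted: hash each candidate once and test it against all targets at
    once with a set lookup. Returns ({digest: plaintext}, hashes_computed)."""
    remaining = {t.lower() for t in targets}
    found, tested = {}, 0
    for cand in candidates(wordlist, rules):
        digest = hashlib.new(algo, cand.encode()).hexdigest()
        tested += 1
        if digest in remaining:
            found[digest] = cand
            remaining.discard(digest)
            if not remaining:
                break
    return found, tested


def crack_salted(targets, wordlist, rules, algo="sha1"):
    """Salted as H(salt || password): every target needs its own pass over the
    candidates, so the work grows linearly with the number of hashes."""
    found, tested = {}, 0
    for salt, digest in targets:
        for cand in candidates(wordlist, rules):
            tested += 1
            if hashlib.new(algo, (salt + cand).encode()).hexdigest() == digest.lower():
                found[digest] = cand
                break
    return found, tested


WORDLIST = ["password", "summer", "linkedin", "qwerty", "letmein"]  # constructed
PLAINTEXTS = ["password", "Summer2012", "linkedin1", "qwerty123"]   # constructed
UNREACHABLE = "correct horse battery staple"  # one target the rules never produce


def constructed_unsalted_targets():
    """Five unsalted MD5s, four of them within reach of the rule set."""
    return [hashlib.md5(p.encode()).hexdigest() for p in PLAINTEXTS + [UNREACHABLE]]


def constructed_salted_targets():
    """The same five passwords as SHA-1(salt || password) with per-hash salts."""
    out = []
    for i, p in enumerate(PLAINTEXTS + [UNREACHABLE]):
        salt = f"s{i:02d}"
        out.append((salt, hashlib.sha1((salt + p).encode()).hexdigest()))
    return out


if __name__ == "__main__":
    rules = basic_rules()
    found, n = crack_unsalted(constructed_unsalted_targets(), WORDLIST, rules)
    print(f"unsalted: {len(found)} of 5 cracked with {n} hash computations")
    found, n = crack_salted(constructed_salted_targets(), WORDLIST, rules)
    print(f"salted:   {len(found)} of 5 cracked with {n} hash computations")
```

With only five targets the salted run already needs more than twice the hash computations of the unsalted one; scale the target list to millions of LinkedIn-sized entries and the unsalted cost stays at one hash per candidate while the salted cost multiplies by the number of hashes. That, rather than MD5 or SHA-1 being fast, is the main reason the LinkedIn list fell so quickly.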